sherpa-onnx-tts
Warn
Audited by Socket on Mar 10, 2026
1 alert found:
Security alert (MEDIUM): SKILL.md
The skill matches its stated offline TTS purpose but hinges on downloading and executing unverifiable binaries and models from GitHub releases, without integrity checks. This creates supply-chain risk and elevated trust requirements. If integrity verification (checksums/signatures) or a trusted registry were provided, risk would be lower and more clearly benign; as-is, it is Suspicious-to-MEDIUM risk due to unverifiable binaries and lack of verification steps.
Confidence: 98%
Severity: 75%